Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

OnePlus Attackers Steal Credit Card Data From 40,000 Customers

Days after receiving initial reports about fraudulent activity, the mobile phone vendor reveals that attackers were able to get a malicious script onto its website that stole user credit card information.

WEBINAR:On-Demand

Mobile phone vendor OnePlus announced on Jan. 19 that it was the victim of a security breach that exposed credit card information of up to 40,000 customers.

The admission that there was a data breach comes three days after OnePlus announced that it was temporarily disabling credit card payments on its website. OnePlus disabled the credit card payments on Jan. 16, after receiving reports from customers that they were seeing unknown credit card charges after buying something online from OnePlus.

"One of our systems was attacked, and a malicious script was injected into the payment page code to sniff out credit card info while it was being entered," OnePlus stated in an advisory on the breach.

The attack appears to had been ongoing from mid-November 2017 until Jan. 11, 2018, OnePlus said. According to the company, credit card information (card numbers, expiration dates and security codes) that was entered on the Oneplus.net site may have been compromised. Users who saved their credit card information on the site, as well as those who use PayPal, do not appear to be impacted by the breach, however.

Further reading

OnePlus' investigation into the data breach found that a malicious script was operating intermittently on the Oneplus.net site. The script was able to capture data from end users' web browsers and then send that data to the attacker. According to OnePlus, it has now eliminated the immediate risk.

"We have quarantined the infected server and reinforced all relevant system structures," OnePlus stated.

What remains unclear is how the malicious script got onto the OnePlus server in the first place and why it wasn't caught by security technology. The company is now working with its technology providers as well as law enforcement to further investigate the security incident.

"We are also working with our current payment providers to implement a more secure credit card payment method, as well as conducting an in-depth security audit," OnePlus stated. "All these measures will help us prevent such incidents from happening in the future."

Chris Morales, head of security analytics at Vectra, said he is impressed with the expediency and thoroughness OnePlus is taking in providing its customers with a breach notification. That said, Morales noted that while it is unfortunate that the breach occurred, it is not at all surprising.

"This breach should be a reminder that HTTPS, while encrypted, is not a guarantee of a secure transaction as attackers can compromise the systems at both ends of any encrypted conversation," Morales told eWEEK.

What Should End Users Do?

OnePlus recommends that its customers check their credit card statement and immediately report any unrecognized charges. The company will also be providing credit card monitoring services to impacted customers.

"Unfortunately, there is not much a consumer can do to prevent being victimized as part of a breach," Shawn Kanady, principal security consultant at security Trustwave, told eWEEK.

Kanady added that online shopping will always be risky for the consumer so it becomes more of an awareness and detection issue for the everyday shopper. In his view, the key is to understand the risk and set up some safeguards.

Among the online safeguards that Kanady recommends for online shoppers are the following:

Set up text-based alerts on your bank/credit account for any transaction over a certain dollar amount. It could be $1.

Set up accounts that are only used when shopping online. Segregating your accounts will prevent fraud on your high-value accounts like your checking account.

Do not opt-in on saving your credit card information for later billing.

Use prepaid cards or a PayPal account for online shopping, allowing for an extra layer between the attacker and your real accounts.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

By submitting your information, you agree that eweek.com may send you eWEEK offers via email, phone and text message, as well as email offers about other products and services that eWEEK believes may be of interest to you. eWEEK will process your information in accordance with the Quinstreet Privacy Policy.

We ran into a problem

We already have your email address on file. Please use the "Forgot your password?" link to create a password, validate your email and login.